1 / 49

Processing Crime and Incident Scenes

Processing Crime and Incident Scenes. Objectives. Explain the rules for controlling digital evidence Describe how to collect evidence at private-sector incident scenes Explain guidelines for processing law enforcement crime scenes List the steps in preparing for an evidence search

karenryan
Download Presentation

Processing Crime and Incident Scenes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Processing Crime and Incident Scenes

  2. Objectives • Explain the rules for controlling digital evidence • Describe how to collect evidence at private-sector incident scenes • Explain guidelines for processing law enforcement crime scenes • List the steps in preparing for an evidence search • Describe how to secure a computer incident or crime scene Guide to Computer Forensics and Investigations Fifth Edition

  3. Objectives • Explain guidelines for seizing digital evidence at the scene • List procedures for storing digital evidence • Explain how to obtain a digital hash • Review a case to identify requirements and plan your investigation Guide to Computer Forensics and Investigations Fifth Edition

  4. Identifying Digital Evidence • Digital evidence • Can be any information stored or transmitted in digital form • U.S. courts accept digital evidence as physical evidence • Digital data is treated as a tangible object • Groups such as the Scientific Working Group on Digital Evidence (SWGDE) set standards for recovering, preserving, and examining digital evidence Guide to Computer Forensics and Investigations Fifth Edition

  5. Identifying Digital Evidence • General tasks investigators perform when working with digital evidence: • Identify digital information or artifacts that can be used as evidence • Collect, preserve, and document evidence • Analyze, identify, and organize evidence • Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably • Collecting digital devices and processing a criminal or incident scene must be done systematically Guide to Computer Forensics and Investigations Fifth Edition

  6. Understanding Rules of Evidence • Data you discover from a forensic examination falls under your state’s rules of evidence • Or the Federal Rules of Evidence (FRE) • Digital evidence is unlike other physical evidence because it can be changed more easily • The only way to detect these changes is to compare the original data with a duplicate • Most federal courts have interpreted computer records as hearsay evidence • Hearsay is secondhand or indirect evidence Guide to Computer Forensics and Investigations Fifth Edition

  7. Understanding Rules of Evidence • Business-record exception • Allows “records of regularly conducted activity,” such as business memos, reports, records, or data compilations • Generally, digital records are considered admissible if they qualify as a business record • Computer records are usually divided into: • Computer-generated records • Computer-stored records Guide to Computer Forensics and Investigations Fifth Edition

  8. Collecting Evidence in Private-Sector Incident Scenes • Private-sector organizations include: • Businesses and government agencies that aren’t involved in law enforcement • Non-government organizations (NGO) must comply with state public disclosure and federal Freedom of Information Act (FOIA) laws • And make certain documents available as public records • FOIA allows citizens to request copies of public documents created by federal agencies Guide to Computer Forensics and Investigations Fifth Edition

  9. Collecting Evidence in Private-Sector Incident Scenes • A special category of private-sector businesses includes ISPs and other communication companies • ISPs can investigate computer abuse committed by their employees, but not by customers • Except for activities that are deemed to create an emergency situation • Investigating and controlling computer incident scenes in the corporate environment • Much easier than in the criminal environment • Incident scene is often a workplace Guide to Computer Forensics and Investigations Fifth Edition

  10. Collecting Evidence in Private-Sector Incident Scenes • Companies should display a warning banner and publish a policy • Stating that they reserve the right to inspect computing assets at will • Corporate investigators should know under what circumstances they can examine an employee’s computer • Every organization must have a well-defined process describing when an investigation can be initiated Guide to Computer Forensics and Investigations Fifth Edition

  11. Processing Law Enforcement Crime Scenes • You must be familiar with criminal rules of search and seizure • You should also understand how a search warrant works and what to do when you process one Guide to Computer Forensics and Investigations Fifth Edition

  12. Understanding Concepts and Terms Used in Warrants • Innocent information • Unrelated information • Often included with the evidence you’re trying to recover • Judges often issue a limiting phrase to the warrant • Allows the police to separate innocent information from evidence Guide to Computer Forensics and Investigations Fifth Edition

  13. Understanding Concepts and Terms Used in Warrants • Plain view doctrine • Objects falling in plain view of an officer who has the right to be in position to have that view are subject to seizure without a warrant and may be introduced in evidence • Three criteria must be met: • Officer is where he or she has a legal right to be • Ordinary senses must not be enhanced by advanced technology in any way • Any discovery must be by chance Guide to Computer Forensics and Investigations Fifth Edition

  14. Understanding Concepts and Terms Used in Warrants • The plain view doctrine’s applicability in the digital forensics world is being rejected • Example - In a case where police were searching a computer for evidence related to illegal drug trafficking: • If an examiner observes an .avi file and find child pornography, he must get an additional warrant or an expansion of the existing warrant to continue the search for child pornography Guide to Computer Forensics and Investigations Fifth Edition

  15. Preparing for a Search • Preparing for a computer search and seizure • Probably the most important step in computing investigations • To perform these tasks • You might need to get answers from the victim and an informant • Who could be a police detective assigned to the case, a law enforcement witness, or a manager or coworker of the person of interest to the investigation Guide to Computer Forensics and Investigations Fifth Edition

  16. Identifying the Nature of the Case • When you’re assigned a digital investigation case • Start by identifying the nature of the case • Including whether it involves the private or public sector • The nature of the case dictates how you proceed • And what types of assets or resources you need to use in the investigation Guide to Computer Forensics and Investigations Fifth Edition

  17. Identifying the Type of OS or Digital Device • For law enforcement • This step might be difficult because the crime scene isn’t controlled • If you can identify the OS or device • Estimate the size of the drive on the suspect’s computer • And how many devices to process at the scene • Determine which OSs and hardware are involved Guide to Computer Forensics and Investigations Fifth Edition

  18. Determining Whether You Can Seize Computers and Digital Devices • The type of case and location of the evidence • Determine whether you can remove digital evidence • Law enforcement investigators need a warrant to remove computers from a crime scene • And transport them to a lab • If removing the computers will irreparably harm a business • The computers should not be taken offsite Guide to Computer Forensics and Investigations Fifth Edition

  19. Determining Whether You Can Seize Computers and Digital Devices • Additional complications: • Files stored offsite that are accessed remotely • Availability of cloud storage, which can’t be located physically • Stored on drives where data from many other subscribers might be stored • If you aren’t allowed to take the computers to your lab • Determine the resources you need to acquire digital evidence and which tools can speed data acquisition Guide to Computer Forensics and Investigations Fifth Edition

  20. Getting a Detailed Description of the Location • Get as much information as you can about the location of a digital crime • Identify potential hazards • Interact with your HAZMAT (hazardous materials) team • HAZMAT guidelines Guide to Computer Forensics and Investigations Fifth Edition

  21. Determining Who Is in Charge • Corporate computing investigations • Usually require only one person to respond to an incident • Law enforcement agencies • Typically handle large-scale investigations • Designate lead investigators in large-scale investigations • Anyone assigned to the scene should cooperate with the designated leader to ensure the team addresses all details when collecting evidence Guide to Computer Forensics and Investigations Fifth Edition

  22. Using Additional Technical Expertise • Determine whether you need specialized help to process the incident or crime scene • You may need to look for specialists in: • OSs • RAID servers • Databases • Finding the right person can be a challenge • Educate specialists in investigative techniques • Prevent evidence damage Guide to Computer Forensics and Investigations Fifth Edition

  23. Determining the Tools You Need • Prepare tools using incident and crime scene information • Create an initial-response field kit • Should be lightweight and easy to transport • Create an extensive-response field kit • Includes all tools you can afford to take to the field • When at the scene, extract only those items you need to acquire evidence Guide to Computer Forensics and Investigations Fifth Edition

  24. Determining the Tools You Need Guide to Computer Forensics and Investigations Fifth Edition

  25. Determining the Tools You Need Guide to Computer Forensics and Investigations Fifth Edition

  26. Determining the Tools You Need Guide to Computer Forensics and Investigations Fifth Edition

  27. Preparing the Investigation Team • Before initiating the search: • Review facts, plans, and objectives with the investigation team you have assembled • Goal of scene processing • To collect and secure digital evidence • Digital evidence is volatile • Develop skills to assess facts quickly • Slow response can cause digital evidence to be lost Guide to Computer Forensics and Investigations Fifth Edition

  28. Securing a Computer Incident or Crime Scene • Goals • Preserve the evidence • Keep information confidential • Define a secure perimeter • Use yellow barrier tape • Legal authority for a corporate incident includes trespassing violations • For a crime scene, it includes obstructing justice or failing to comply with a police officer Guide to Computer Forensics and Investigations Fifth Edition

  29. Securing a Computer Incident or Crime Scene • Professional curiosity can destroy evidence • Involves police officers and other professionals who aren’t part of the crime scene processing team • Automated Fingerprint Identification System (AFIS) • A computerized system for identifying fingerprints that’s connected to a central database • Used to identify criminal suspects and review thousands of fingerprint samples at high speed • Police can take elimination prints of everyone who had access to the crime scene Guide to Computer Forensics and Investigations Fifth Edition

  30. Seizing Digital Evidence at the Scene • Law enforcement can seize evidence • With a proper warrant • Corporate investigators might have the authority only to make an image of the suspect’s drive • When seizing digital evidence in criminal investigations • Follow standards for seizing digital data • Civil investigations follow same rules • Require less documentation though • Consult with your attorney for extra guidelines Guide to Computer Forensics and Investigations Fifth Edition

  31. Preparing to Acquire Digital Evidence • The evidence you acquire at the scene depends on the nature of the case • And the alleged crime or violation • Ask your supervisor or senior forensics examiner in your organization the following questions: • Do you need to take the entire computer and all peripherals and media in the immediate area? • How are you going to protect the computer and media while transporting them to your lab? • Is the computer powered on when you arrive? Guide to Computer Forensics and Investigations Fifth Edition

  32. Using a Technical Advisor • A technical advisor can help: • List the tools you need to process the incident or crime scene • Guide you about where to locate data and helping you extract log records • Or other evidence from large RAID servers • Create the search warrant by itemizing what you need for the warrant Guide to Computer Forensics and Investigations Fifth Edition

  33. Using a Technical Advisor • Responsibilities • Know all aspects of the seized system • Direct investigator handling sensitive material • Help secure the scene • Help document the planning strategy • Conduct ad hoc trainings • Document activities • Help conduct the search and seizure Guide to Computer Forensics and Investigations Fifth Edition

  34. Documenting Evidence in the Lab • Record your activities and findings as you work • Maintain a journal to record the steps you take as you process evidence • Your goal is to be able to reproduce the same results • When you or another investigator repeat the steps you took to collect evidence • A journal serves as a reference that documents the methods you used to process digital evidence Guide to Computer Forensics and Investigations Fifth Edition

  35. Processing and Handling Digital Evidence • Maintain the integrity of digital evidence in the lab • As you do when collecting it in the field • Steps to create image files: • Copy all image files to a large drive • Start your forensics tool to analyze the evidence • Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash • Secure the original media in an evidence locker Guide to Computer Forensics and Investigations Fifth Edition

  36. Storing Digital Evidence • The media you use to store digital evidence usually depends on how long you need to keep it • CDs, DVDs, DVD-Rs, DVD+Rs, or DVD-RWs • The ideal media • Capacity: up to 17 GB • Lifespan: 2 to 5 years • Magnetic tapes - 4-mm DAT • Capacity: 40 to 72 GB • Lifespan: 30 years • Costs: drive: $400 to $800; tape: $40 Guide to Computer Forensics and Investigations Fifth Edition

  37. Storing Digital Evidence • Super Digital Linear Tape (Super-DLT or SDLT) • Specifically designed for large RAID data backups • Can store more than 1 TB of data • Smaller external SDLT drives can connect to a workstation through a SCSI card • Don’t rely on one media storage method to preserve your evidence • Make two copies of every image to prevent data loss • Use different tools to create the two images Guide to Computer Forensics and Investigations Fifth Edition

  38. Evidence Retention and Media Storage Needs • To help maintain the chain of custody for digital evidence • Restrict access to lab and evidence storage area • Lab should have a sign-in roster for all visitors • Maintain logs for a period based on legal requirements • You might need to retain evidence indefinitely • Check with your local prosecuting attorney’s office or state laws to make sure you’re in compliance Guide to Computer Forensics and Investigations Fifth Edition

  39. Evidence Retention and Media Storage Needs Guide to Computer Forensics and Investigations Fifth Edition

  40. Documenting Evidence • Create or use an evidence custody form • An evidence custody form serves the following functions: • Identifies the evidence • Identifies who has handled the evidence • Lists dates and times the evidence was handled • You can add more information to your form • Such as a section listing MD5 and SHA-1 hash values Guide to Computer Forensics and Investigations Fifth Edition

  41. Documenting Evidence • Include any detailed information you might need to reference • Evidence bags also include labels or evidence forms you can use to document your evidence • Use antistatic(motion less) bags for electronic components Guide to Computer Forensics and Investigations Fifth Edition

  42. Obtaining a Digital Hash • Cyclic Redundancy Check (CRC) • Mathematical algorithm that determines whether a file’s contents have changed • Not considered a forensic hashing algorithm • Message Digest 5 (MD5) • Mathematical formula that translates a file into a hexadecimal code value, or a hash value • If a bit or byte in the file changes, it alters the hash value, which can be used to verify a file or drive has not been tampered with Guide to Computer Forensics and Investigations Fifth Edition

  43. Obtaining a Digital Hash • Three rules for forensic hashes: • You can’t predict the hash value of a file or device • No two hash values can be the same • If anything changes in the file or device, the hash value must change • Secure Hash Algorithm version 1 (SHA-1) • A newer hashing algorithm • Developed by the National Institute of Standards and Technology (NIST) Guide to Computer Forensics and Investigations Fifth Edition

  44. Obtaining a Digital Hash • In both MD5 and SHA-1, collisions have occurred • Most digital forensics hashing needs can be satisfied with a nonkeyed hash set • A unique hash number generated by a software tool, such as the Linux md5sum command • Keyed hash set • Created by an encryption utility’s secret key • You can use the MD5 function in FTK Imager to obtain the digital signature of a file • Or an entire drive Guide to Computer Forensics and Investigations Fifth Edition

  45. Obtaining a Digital Hash Guide to Computer Forensics and Investigations Fifth Edition

  46. Reviewing a Case • General tasks you perform in any computer forensics case: • Identify the case requirements • Plan your investigation • Conduct the investigation • Complete the case report • Critique(critical evaluation) the case Guide to Computer Forensics and Investigations Fifth Edition

  47. Sample Civil Investigation • Most cases in the corporate environment are considered low-level investigations • Or noncriminal cases • Common activities and practices • Recover specific evidence • Suspect’s Outlook e-mail folder (PST file)Personal Storage Table • Covert(secret) surveillance • Its use must be well defined in the company policy • Risk of civil or criminal liability • Sniffing tools for data transmissions Guide to Computer Forensics and Investigations Fifth Edition

  48. Sample Criminal Investigation • Computer crimes examples • Fraud • Check fraud • Homicides • Need a warrant to start seizing evidence • Limit searching area Guide to Computer Forensics and Investigations Fifth Edition

  49. Sample Criminal Investigation Guide to Computer Forensics and Investigations Fifth Edition

More Related